Improve PKI policy scoping and applicability statements

[ryancdickson]

In a future CCADB policy update, we should consider adding guidance to promote further consistency with CA Owner PKI policy document (i.e., CP, CPS, or combined CP/CPS) scoping and applicability. The intended outcome is reduced ambiguity and compliance friction.

Rough Ideas (suggestions welcome):

• Any given policy should explicitly identify in-scope CAs, similar to the way Audit Attestation Letters currently do. Maybe certificate hashes or SPKIhashes in a standardized reporting format? Though this can be reconstructed using CCADB Reports - it should be more transparent. This is an example of good practice.
• Some PKI hierarchies maintain both a “use-case specific” CP/CPS (i.e., a CP/CPS that exclusively covers the policies and practices related to the issuance of server authentication certificates) and other policies applicable to other PKI use cases (e.g., A “multi-purpose” CP that covers Code Signing and S/MIME, a Code Signing CPS, and an S/MIME CPS). There should be a description of each document’s applicability - and how multiple co-existing policies relate to one another. The same should be true when externally-operated CA Owner policies exist in a hierarchy (e.g., how does an externally-operated subordinate CA’s CP/CPS relate to its certificate issuer’s? What is the order of precedence?).

[dustinhollenback-apple]

Here is an early draft of potential details to include for these topics:

1.4 Policy Applicability to CA Certificates

This section identifies the CA certificates to which this policy document applies.
Each row in the table corresponds to a single CA, uniquely identified by its SPKI SHA‑256 hash.

CA certificate details MUST be included for:

• The Root CA(s) associated with this policy document.
• Any cross-signed CA certificate whose issuer is a CA within a hierarchy covered by this document.
• Any Subordinate CA certificate signed by a CA within a hierarchy covered by this document when the document does not apply to that Subordinate CA.

This ensures that policy applicability is explicit and does not rely on inference from hierarchy structure, naming conventions, or CCADB metadata.

Policy Applicability Table

Applicable CA Certificate Common Name	Applicable CA SPKI SHA‑256 Hash	Parent CA Certificate Common Name	Parent CA SPKI SHA‑256 Hash	Root CA Certificate Common Name	Root CA SPKI SHA‑256 Hash	Document Applies to This CA? (TRUE/FALSE)	Document Applies to All Subordinate CAs of This CA? (TRUE/FALSE)

1.5 Comprehensive Disclosure of PKI Policy Documents

CA Owners MUST provide sufficient information to enable reviewers to understand all Certificate Policy (CP), Certification Practice Statement (CPS), or combined CP/CPS documents associated with the PKI hierarchy. This requirement applies to both internally‑operated and externally‑operated CAs.

Each policy document disclosure MUST include:

1. Document Identification

   • Title of the document (e.g., "TLS Server Authentication CPS").
   • Document type (CP, CPS, or CP/CPS).
   • Effective date and version number.

2. Applicability Statement

   • A clear description of the PKI use case(s) covered (e.g., TLS, S/MIME, Code Signing).
   • Explicit identification of the CA certificates to which the document applies, using the Applicability Table defined in Section 1.4.
   • If the document does not apply to certain CAs within the hierarchy, those CAs MUST be listed with applicability marked FALSE.

3. Relationship to Other Policy Documents

   • Where multiple policy documents exist within the hierarchy, the CA Owner MUST describe how they relate to one another, including:
     • Whether one document supersedes or supplements another.
     • The order of precedence in case of conflict or statement that all policy documents are applicable when multiple of same document type are active and assigned to same hierarchy at the same time
     • How multi‑purpose CPs interact with use‑case‑specific CPS documents.
   • For externally‑operated subordinate CAs, the CA Owner MUST describe how the subordinate’s CP/CPS relates to the issuer’s CP/CPS.
   • For cross-signed CAs, the CA Owner MUST describe which policy documents are

4. Hierarchy Coverage

   • CA Owners MUST ensure that every Root CA and every Subordinate CA disclosed in CCADB is covered by at least one applicable policy document.
   • Cross‑signed CA certificates MUST be explicitly identified and associated with the relevant policy document(s).

This disclosure ensures that all policy and practice documents within a PKI hierarchy can be understood in context, without requiring inference from hierarchy structure or document naming conventions.